Didier Stevens

Thursday 21 June 2018

Validating Your Downloads

Filed under: Announcement,My Software — Didier Stevens @ 0:00

Occasionally, a comment is posted on my blog to report that the posted hash of a file doesn’t match the hash of the downloaded file. Often, it’s because the reader calculated the hash of my program, and not the hash of the downloaded ZIP file containing the program.

Let’s clarify this. Here is an example of download details I use in my blog posts:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

First you have the HTTP download link to the file, and then you have the HTTPS download link of the same file.

Next, you have the MD5 hash and SHA256 hash of the hosted file, e.g. the ZIP file.

The links and hashes are served by one host (blog.didierstevens.com), and the file is served by another host (didierstevens.com).

To validate that the file you downloaded has not been tampered with, or corrupted during the download, you have to calculate the hash of the downloaded file (if it’s a ZIP file, calculate the hash of the ZIP file, not of the archived files) and compare this with the hash I published.
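The check described above, as an added Python example (it is not hash.py and not code from the original post): it hashes the raw bytes of the downloaded file and compares them case-insensitively with the published values, then shows that hashing the extracted program instead fails. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zipfile


def file_digests(path, chunk_size=1 << 20):
    """Hash the file's raw bytes in chunks; return uppercase hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"MD5": md5.hexdigest().upper(), "SHA256": sha256.hexdigest().upper()}


def matches_published(path, published):
    """Compare each published digest (any case, stray spaces) with the file's."""
    actual = file_digests(path)
    return all(actual[name] == value.strip().upper()
               for name, value in published.items())


def demo():
    """Constructed sample: a ZIP holding one script, standing in for a download."""
    workdir = tempfile.mkdtemp()
    zip_path = os.path.join(workdir, "sample_V0_0_1.zip")  # hypothetical name
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample.py", "print('constructed sample program')\n" * 20)
    # What a publisher would post: digests of the ZIP file itself.
    # Lowercased here to show that hex case does not matter when comparing.
    published = {k: v.lower() for k, v in file_digests(zip_path).items()}
    # The common mistake: extracting and hashing the program inside the ZIP.
    with zipfile.ZipFile(zip_path) as z:
        extracted = z.extract("sample.py", workdir)
    return (matches_published(zip_path, published),
            matches_published(extracted, published))


if __name__ == "__main__":
    zip_ok, member_ok = demo()
    print("ZIP file matches published hashes:        ", zip_ok)
    print("extracted program matches published hashes:", member_ok)
```

To check a real download, call `matches_published()` with the path of the downloaded ZIP and a dictionary holding the MD5 and SHA256 values copied from the blog post.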

If you don’t have a tool to do this, you can use my hash.py tool like this:

1 Comment »

  1. […] Validating Your Downloads […]

    Pingback by Overview of Content Published in June | Didier Stevens — Monday 2 July 2018 @ 0:01

